---
id: migrating-from-mitreid
title: Migrating from MITREid
---

:::info

Please note this page doesn't pretend to be a step-by-step guide.

:::

This piece of documentation will try to give you some hints to move your current
MITREid instance to Hydra.

#### Scopes

Scopes in hydra doesn't have a relational entity, every client defines its own
array of scopes.

#### Scope vs Scp

Since hydra uses scp as the scope claim, you have to be sure your client
libraries are capable to use both, we had to modify the behavior of our version
of spring.security.oauth2 library following the example:
[Custom claim](https://dev.to/toojannarong/spring-security-with-jwt-the-easiest-way-2i43)

#### Query String Parameters

MITREid doesn't mind if the parameters are passed in the body or in the query
string. In order to work with hydra, you have to migrate all your calls that are
using QS params to Body Parameters.

For example, you should move from

```
curl -X POST  http://127.0.0.1/mitreid-server/token?grant_type=client_credentials -H "Authorization: $AUTH" ...
```

to

```
curl -X POST  http://127.0.0.1/mitreid-server/token -H "Authorization: $AUTH" --data-urlencode 'grant_type=client_credentials' ...
```

#### Scope Strategies if no scope is requested

The last pitfall found during the migration was the difference of behaviour when
performing the `client_credentials` grant without specifying a scope. By default
ORY Hydra returns an empty scope, but MITREid grants the default scope for the
OAuth 2.0 Client.

To change the behaviour in ORY Hydra, either set environment variable
`OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_SCOPE=true` or alternatively add to ORY
Hydra's configuration file:

```yaml title="path/to/hydra.yaml"
oauth2:
  client_credentials:
    default_grant_allowed_scope: true
```

Once set, ORY Hydra will behave like MITREid and grant the OAuth2 Client's scope
when an empty scope is requested for a `client_credentials` grant.
